The invention is generally related to the generation and management of groups of individuals within a data processing environment, e.g., for use in applications such as electronic messaging, content management, security access control and software distribution.
As computer and networking technology has advanced, greater numbers of individuals have been linked together via interconnected computer systems to permit those individuals to perform both individual and collaborative tasks on those computer systems. In addition, the growth of public networks such as the Internet and the global telecommunications infrastructure has enabled individuals from different organizations and enterprises, as well as individuals from different parts of the globe, to effectively communicate and collaborate with one another.
When interacting with multiple individuals, a computer system typically requires some manner of identifying an individual, e.g., to determine where to send messages to that individual, to determine whether that individual is authorized to perform certain actions, etc. As a result, each individual that utilizes a computer system typically is associated with a set of data that is used by various computer systems to identify that individual. The data structures, which are often referred to as user records, typically include information such as name, network address, authorizations, and other data about an individual that may be useful in performing whatever tasks a computer system is performing on behalf of that individual. Depending upon the degree of interaction between a computer system and an individual, the user record may contain any amount of information about an individual, e.g., from only nominal information to fairly comprehensive information. For example, in an Internet email application, as little information as an email address may be tracked for certain individuals. In contrast, for an enterprise-wide groupware application, individuals may be associated with information such as name, department, facility, email address, physical address, network address, security authorizations, telephone numbers, etc.
While computers may interact with and perform tasks on behalf of individual users, in many instances, computers may be called upon to interact and/or perform tasks on behalf of multiple individuals. To support computer operations that deal with multiple individuals, a number of computer environments support the concept of a xe2x80x9cgroup,xe2x80x9d i.e., a logical representation of a collection of individuals.
Groups find utility in a wide variety of computer applications. For example, in electronic messaging applications, groups may be used to facilitate message distribution to various related individuals with common interests, common positions within an enterprise, etc. For example, groups may be defined for the members of a team or project, members of a particular department or level of management, members that work in the same facility, etc.
Groups also find utility in applications such as security management, content distribution and software distribution, where certain types of individuals may share common authorities, and thus be permitted to perform certain actions (or use or view certain content or software) that are not available to the entire set of individuals that may have access a particular computer system. For example, within a computer network environment, certain individuals that maintain and manage a computer network may be granted greater authority than other individuals to permit those xe2x80x9cadministratorsxe2x80x9d of the network to change settings and otherwise configure the network to fix errors or improve its performance. Also, in some instances, certain software applications or content may be restricted to viewing only by certain individuals, e.g., the members of a project or team. By placing all of these individuals into a common group, authorities may be defined for the group as a whole, which facilitates managing the authorities granted to various individuals.
To manage a group within a computer environment, some form of data structure is typically required to permit the individuals, or xe2x80x9cmembersxe2x80x9d of that group to be readily identified. Many computer environments utilize data structures known as xe2x80x9crecordsxe2x80x9d to store the data necessary to identify the members of a group, as well as additional information that is pertinent to all members of the group, e.g., granted authorities and the like.
Conventional groups share a common characteristic insofar as such groups are enumerated, whereby the members of the group are required to be individually identified and associated with the group. As a result members are typically added and removed to and from a group on a member-by-member basis.
Whereas enumerated groups are adequate for use in many applications, in some instances, the requirement to enumerate the members of a group becomes problematic, particularly for groups with large numbers of individuals, or within organizations having large numbers of users. For example, in a typical corporate enterprise, new employees are frequently hired, and current employees may leave the enterprise or change job descriptions with relative frequency. Moreover, employees may participate in a large number of different groups that span different aspects of an employee""s standing within an enterprise. For example, groups may be defined based upon projects, management positions, human resources, facilities, accounting, geography, interests, skills, etc.
Given that conventional groups require enumeration of members, whenever a new employee is hired, or an existing employee leaves or changes status, any groups that the employee is involved with (or will be involved with) typically must be updated. As a result, and particularly if employees are members of large numbers of groups, or if groups have relatively large numbers of employees that are constantly changing, it can be extremely difficult to keep all of an enterprise""s groups current. The burden on administrators just in keeping groups current can be significant, and can result in substantial expenditures of time and resources within an organization, if not be entirely prohibitive for some organizations.
Moreover, given typical inefficiencies within any organization, delays in manually incorporating changes into a computer environment after an employment status change are often inevitable. Particularly where individuals are granted authorities on a computer network based upon their employee status, or where groups are used for issuing critical communications to employees, delays in updating groups to reflect changes in employment status can limit employee productivity and otherwise hamper employees"" abilities to perform their jobs. As an example, if a new employee has to use a particular software application to perform his or her job, and access to that software application is reliant upon membership in a particular group, any delays in adding that employee to the group effectively hamper the employee""s ability to do the job.
In other environments, enumerated groups present additional concerns. For example, substantial resources are often devoted to mailing lists and other direct marketing databases to create groups of individuals that share common interests and might be receptive to particular marketing promotions. Creation of such lists is often labor intensive, and in some instances requires the manual addition of members to a group used for the mailing list. Automated tools have been developed to assist in xe2x80x9ccrawlingxe2x80x9d the Internet for potential group members; however, any members found by a crawler are often required to be individually added to the group. Given that mailing lists may have tens or hundreds of thousands of individual members, the use of enumerated groups in such instances can be unwieldy and complex.
Yet another limitation of conventional groups is that often the data structures representing such groups are required to be centralized within a single location, and often in an internal database having restricted access outside of a particular enterprise computer network. In many instances, however, it may be desirable to define groups that span different xe2x80x9cdomainsxe2x80x9d (i.e., computer environments such as enterprise networks or subnetworks), and/or different enterprises. Moreover, when different domains utilize different underlying database technologies to implement their user and group information, distributing a logical group across these various domains and enterprises is difficult.
Therefore, a significant need exists in the art for a manner of organizing and managing groups to provide greater flexibility, adaptivity and extensibility, particularly for groups comprising large numbers of individuals and/or spanning multiple domains and/or enterprises.
The invention addresses these and other problems associated with the prior art by providing an apparatus, program product, and method that utilize xe2x80x9cdynamicxe2x80x9d groups to represent collections of individuals in a computer environment. With a dynamic group consistent with the invention, a group membership criterion and a set of member identifiers are associated with one another within a dynamic group data structure, such that the set of member identifiers identifies those users from a plurality of users that meet the group membership criterion for the dynamic group. Moreover, through dynamic updates that may occur periodically and/or in response to predetermined events, the set of member identifiers for a dynamic group may be updated to reflect modifications to the plurality of users so as to maintain the identification of members in the dynamic group current, often with little or no manual intervention by an administrator or other computer user. Consequently, in the case of large groups and/or groups utilized in connection with user pools that frequently change, the use of dynamic groups as described herein greatly facilitates maintaining current group memberships.
Moreover, in some embodiments dynamic group data structures may be utilized in connection with multiple networked target computer environments having users that span multiple computer domains and/or enterprises. The target computer environments are networked with a hub computer upon which is resident a database that maintains a dynamic group data structure as described above, which may include users from multiple target computer environments. Within at least a portion of such target computer environments, mirrored group data structures may be distributed and maintained, with each including at least a subset of member identifiers from the set of member identifiers associated with the dynamic group data structure. Furthermore, the target computer environments in some instances may be implemented using different underlying platforms, and/or may be under the control of different enterprises. Through automated synchronization between the hub computer and the target computer environments, however, changes made to the dynamic group data structure and/or a mirrored group data structure may be propagated throughout the networked system as necessary to maintain synchronization between all relevant group data structures in the networked system.
These and other advantages and features, which characterize the invention, are set forth in the claims annexed hereto and forming a further part hereof. However, for a better understanding of the invention, and of the advantages and objectives attained through its use, reference should be made to the Drawings, and to the accompanying descriptive matter, in which there is described exemplary embodiments of the invention.